Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]
Falko Strenzke <falko.strenzke@mtg.de> Tue, 05 March 2024 07:47 UTC
Return-Path: <falko.strenzke@mtg.de>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DB5C14F61D; Mon, 4 Mar 2024 23:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtg.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5YbsOiSkjTh; Mon, 4 Mar 2024 23:47:29 -0800 (PST)
Received: from www.mtg.de (www.mtg.de [IPv6:2a02:b98:8:2::2]) (using TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94146C14F616; Mon, 4 Mar 2024 23:47:27 -0800 (PST)
Received: from minka.mtg.de (minka [IPv6:2a02:b98:8:1:0:0:0:9]) by www.mtg.de (8.18.1/8.18.1) with ESMTPS id 4257lO7l026644 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 5 Mar 2024 08:47:24 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mtg.de; s=mail201801; t=1709624844; bh=xMj0klGt2/qdlk0iVH+IWmaouuyFZyzrdVHfjLmh2S0=; h=Date:Subject:To:References:From:In-Reply-To; b=KiMkc/2TeuYH8xOpUlGF5jUkSDhF3vpNDK/xUoz/lu3yOBz3st3WqxOb2lxnuhxlE cqku0r9wnTx7y7UNSIT199NVLJjBe7rfjbE+5z2WmeyFiIWuhknMY2R/Av5xMhIkri 8PTdfJ0V0OgyLA4gSJh1xQLDOJz6i4LL2mbOESQ5tjRRwRG2sIzVERUK1FydRVHx99 CK7mF21gS9F9C8gp822gSKjadwnkMUzP/FTLpjlPepXfTVxlhpGtpGr2xiLMLs3bEd gpvU/fNjowcA4gEluUPSQGKhBkL3dmcAq6bqXgF+itqvFrLpvXVkhHzaJb8cv7Ezfw x369W3S+ar3Gw==
Received: from [10.8.0.100] (vpn-10-8-0-100 [10.8.0.100]) by minka.mtg.de (8.18.1/8.18.1) with ESMTPS id 4257lNCQ016234 (version=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256 verify=NOT); Tue, 5 Mar 2024 08:47:23 +0100
Message-ID: <d73d09e3-c4d2-4181-a891-e0d01b441de1@mtg.de>
Date: Tue, 05 Mar 2024 08:47:22 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, "openpgp@ietf.org" <openpgp@ietf.org>
References: <eSTNujDSQ-_B0YtGCoZ-6ZfZdrpf_m3_2mYpLag81M3m6AgB6QlTHsiZ5kM9c6kAfK-g62RKtdnjh0Azc_aqUCSS9XTj2d9HVlcWOBaiqVY=@wussler.it> <87v861y2yl.fsf@kaka.sjd.se>
From: Falko Strenzke <falko.strenzke@mtg.de>
In-Reply-To: <87v861y2yl.fsf@kaka.sjd.se>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms020400050301030000090309"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/u8DHmhcyerqoYaLm0WQjzQnuptQ>
Subject: Re: [openpgp] Recap of the signature options [was: PQC signature algorithm selection]
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 07:47:34 -0000
Am 05.03.24 um 00:47 schrieb Simon Josefsson: > The intention seems to achieve a SV property, am I reading this right? No, at least not in my view. Could you please state what concrete threat should be thwarted by achieving simultaneous-verification (SV) in OpenPGP? I personally cannot think of any system where achieving SV brings a benefit over strong non-separability. SV seems to attempt (that's a fact, it can't ensure, see further down) to prevent the verifier from aborting the signature verification after having verified only one signature. What I don't see is that the verifier ever needs to be or even can be protected from himself. If the verifier isn't a stakeholder for proper verification according to the protocol specifications, then how should a signature scheme that achieves SV prevent him from simply accepting just any signature without any signature verification at all? How is this principally different from verifying only one of the two signatures? > > I would feel more comfortable if PGP relied on a hybrid signature > combiner scheme that offered SV as a cryptographic property rather than > as a somewhat implicit protocol property. And one that were specified > generally and not just for PGP. > > One such scheme could be designed by replacing the two-part component > signature values with just one value that is: > > SHA3(Ed25519.signature > || Ed25519.publickey > || ML-DSA-87.signature > || ML-DSA-87.publickey > || context) Can you please explain or reference this combiner? What is the signature creation, what the verification routine? You cannot possibly mean that the hash value replaces the signature because obviously there is no way for the verifier to compute the signatures... - Falko > > and the verifier has to compare the computed signature against that > value before being able to say ACK or NAK. > > I may be missing something fundamental here, so a question: Are there > any fundamental reasons why a hybrid PQ/T signature scheme for PGP > cannot rely on a opaque signature combiner (like the one that I > suggested above, only better) that provides a SV guarantee? Reversely: > is there any reason PGP must use the separable two-value approach in > section 6.3.1 of draft-ietf-openpgp-pqc? Why do you claim it was separable? It is not separable because OpenPGP hashes the signature algorithm ID as part as meta data in the message digest calculation. - Falko > > /Simon > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp -- *MTG AG* Dr. Falko Strenzke Executive System Architect Phone: +49 6151 8000 24 E-Mail: falko.strenzke@mtg.de Web: mtg.de <https://www.mtg.de> <https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false> Follow us ------------------------------------------------------------------------ <https://www.mtg.de/de/aktuelles/MTG-AG-erhaelt-Innovationspreis-des-Bundesverbands-IT-Sicherheit-e.V-00001.-TeleTrust/> <https://www.itsa365.de/de-de/companies/m/mtg-ag> MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany Commercial register: HRB 8901 Register Court: Amtsgericht Darmstadt Management Board: Jürgen Ruf (CEO), Tamer Kemeröz Chairman of the Supervisory Board: Dr. Thomas Milde This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted. Data protection information: Privacy policy <https://www.mtg.de/en/privacy-policy>
- [openpgp] Recap of the signature options [was: PQ… Aron Wussler
- Re: [openpgp] Recap of the signature options [was… Stephen Farrell
- Re: [openpgp] Recap of the signature options [was… Simon Josefsson
- Re: [openpgp] Recap of the signature options [was… Falko Strenzke
- Re: [openpgp] Recap of the signature options [was… Simon Josefsson